Re: Cannot resolve KDC error 11



Thanks for the IIS info – I had already checked on that myself and made sure
that support for both Kerberos and NTLM is allowed. So this is not causing
the problems.
I tried to post the output.txt to the newsgroup – but could not figure out
how to upload this. So I e-mailed you the compressed output file directly.

Thanks again for your help - TC


"Crina Li (MSFT)" wrote:

> Hi Thorsten,
>
> Thanks for your reply.
>
> It may be the entry is necessary for the CRM. So when you delete it, CRM
> will not work. Sometimes, it may be caused by Microsoft Internet Information
> Services (IIS) not being enabled for both Kerberos and NTLM authentication.
> Regarding how to configure IIS to support both Kerberos and NTLM
> authentication, please refer to the following KB article:
>
> 215383 How To Configure IIS to Support Both Kerberos and NTLM Authentication
> http://support.microsoft.com/?id=215383
>
> If the problem still persists, please use the following command to help
> me collect the information (I am sorry for the incorrect command in my
> previous reply, thanks for your understanding):
>
> < ldifde -f output.txt -d "DC=REINA,DC=local">
>
> Compress the output.txt file and post it to the newsgroup.
>
> Thanks for your time and I look forward to your reply.
>
> Best regards,
>
> Crina Li (MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> --------------------
> | Thread-Topic: Cannot resolve KDC error 11
> | From: Thorsten Chlupp <ThorstenChlupp@xxxxxxxxxxxxxxxxxxxxxxxxx>
> | Subject: Re: Cannot resolve KDC error 11
> | Date: Tue, 24 May 2005 11:44:01 -0700
> | Newsgroups: microsoft.public.windows.server.sbs
> |
> | Thanks a lot for looking at the log and getting back to me.
> |
> | I followed your instructions and deleted the entry - this resulted in CRM not
> | being accessible anymore. I changed the delete entry by replacing “host” with
> | “http” which seemed to have resolved this issue. I don’t get any more error
> | logs for “There are multiple accounts with name host/rpc-server.reina.local
> | of type DS_SERVICE_PRINCIPAL_NAME.”
> |
> | Still remaining is the error log for “There are multiple accounts with name
> | cifs/RPC-SERVER of type DS_SERVICE_PRINCIPAL_NAME.”
> |
> | I tried to follow your instruction for the ldp command but always get the
> | following error message in the ldap console:
> |
> | ld = ldap_open("DC=REINA,DC=local", 389);
> | Error <0x51>: Fail to connect to DC=REINA,DC=local.
> |
> | I tried to locate the duplicate doing a search in Ldap but it does not come
> | up with any entries. Same result when I search with the ldifde command.
> | Apparently I am missing something - any help is greatly appreciated!
> |
> | -----------
> | ***Searching...
> | ldap_search_s(ld, "DC=REINA,DC=local", 2,
> | "Serviceprincipalname=cifs/rpc-server.reina.local", attrList, 0, &msg)
> | Result <0>: (null)
> | Matched DNs:
> | Getting 0 entries:
> |
> | ***Searching...
> | ldap_search_s(ld, "DC=REINA,DC=local", 2,
> | "Serviceprincipalname=host/rpc-server.reina.local", attrList, 0, &msg)
> | Result <0>: (null)
> | Matched DNs:
> | Getting 1 entries:
> | >> Dn: CN=RPC-SERVER,OU=Domain Controllers,DC=REINA,DC=local
> | 5> objectClass: top; person; organizationalPerson; user; computer;
> | 1> cn: RPC-SERVER;
> | 1> distinguishedName: CN=RPC-SERVER,OU=Domain Controllers,DC=REINA,DC=local;
> | 1> name: RPC-SERVER;
> | 1> canonicalName: REINA.local/Domain Controllers/RPC-SERVER;
> |
> |
>
>